[英]Pass username and password in URL for HTTP Basic Auth
When passing username and password encoded in URL, eg: https://Aladdin:OpenSesame@www.example.com/index.html 传递URL中编码的用户名和密码时,例如: https:// Aladdin:OpenSesame@www.example.com/index.html
Is the client in fact sending this in Authorization header? 客户端实际上是通过Authorization标头发送的吗? What kind of processing is needed on server side for this kind of URL encoding?
对于这种URL编码,服务器端需要什么样的处理?
Is the client in fact sending this in Authorization header? 客户端实际上是通过Authorization标头发送的吗?
It depends on what the client is. 这取决于客户是什么。 If the client is a browser, the answer is no.
如果客户端是浏览器,答案是否定的。 Here is the experiment result:
这是实验结果:
Generally speaking, browser will ignore authenticate information proactively sent in URL, for security reason. 一般来说,出于安全原因,浏览器将忽略在URL中主动发送的身份验证信息。
However, if the client is a development tool, the authenticate information may be encoded in base64 and sent as Authorization header. 但是,如果客户端是开发工具,则可以在base64中对身份验证信息进行编码,并将其作为授权标头发送。 Here is some experiment result:
这是一些实验结果:
Whether the authorization header is sent depends on the tool's design. 是否发送授权标头取决于工具的设计。
What kind of processing is needed on server side for this kind of URL encoding? 对于这种URL编码,服务器端需要什么样的处理?
In server side, all you need to do is get the base64 encoded string from Authorization header, decode it, and check whether it is valid. 在服务器端,您需要做的就是从Authorization标头获取base64编码的字符串,对其进行解码,并检查它是否有效。
Would it be any different if HTTP protocol is used in example URL? 如果在示例URL中使用HTTP协议会有什么不同吗?
For security, yes, Authorization header through HTTP is very insecure. 为了安全起见,是的,通过HTTP的授权标头是非常不安全的。 Base64 encoding/decoding will not make any security benefit, it can be decoded by everyone.
Base64编码/解码不会带来任何安全性好处,它可以被所有人解码。
Otherwise, they are the same. 否则,他们是一样的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.